Conformance Testing for FAPI Read/Write RPs

You can use the FAPI conformance suite (https://www.certification.openid.net/) to test your FAPI-RW Relying Party (RP) implementations.
In this case the conformance suite acts as the OpenID Provider (OP) and your client implementation acts as the relying party.

Please note that you can use a local instance of the FAPI conformance suite for your internal purposes but you must use https://www.certification.openid.net/ for certification submissions. You cannot certify with results obtained from a local instance.

Before You Begin

When submitting your test results, you must include logs from both the conformance suite and your client implementation. Please make sure that your client logs contain all the necessary information; for example, you may need to enable debug-level logging before running the tests.

When using a local instance of the conformance suite software, a self-signed certificate will be used for HTTPS endpoints. You may need to disable certificate checks in your client software when testing against the local instance.
https://www.certification.openid.net uses valid certificates issued by Let's Encrypt, so disabling certificate checks should not be necessary there.

Testing Steps

Image 1: Test configuration

Go to https://www.certification.openid.net/ or to your local conformance suite instance, e.g. https://localhost:8443/.

When using https://www.certification.openid.net/, log in using a Google or GitLab account, or any OpenID Provider that supports WebFinger.

From the “Select A Variant” dropdown, select “mtls” or “private_key_jwt” for FAPI-RW testing, depending on which type of client authentication you support.

“openbankinguk-*” versions must be used for UK Openbanking specific testing.

Fill in the configuration form (as per the guidance given in the form fields when empty). You can switch to the “JSON” tab to view/edit the configuration in the underlying JSON format. Changes to the form are automatically reflected in the JSON and vice versa. The JSON can be copied and saved locally to be pasted back in later. The server will automatically remember the most recent JSON you successfully created a test with.

Server jwks must include private keys

Contrary to what the tooltip implies, the client jwks does not need to include private keys; a client jwks containing only the public keys will work.

Click the “Start Test Plan” button. You will be taken to a list of all the test modules in the plan.

Click a “Run New Test” button

Please read the description of the test in the light blue box near the top of the log page – this may contain specific instructions.

Runtime values that your client needs to use will be displayed by the test suite as highlighted in the following screenshot. The conformance suite will wait for requests from your client.

For FAPI-RW testing, your client is expected to perform the following steps:

Do OpenID discovery, using the discoveryUrl shown in the test suite front end.

Redirect to the authorization_endpoint obtained from discovery.

The conformance suite will return a 302 redirect straight away without the user taking any action – so there is no need for this to even be in a web browser.

Exchange the authorization code for an access token at the token_endpoint obtained from discovery.

Call the accounts_endpoint displayed on the screen using the access token.

For Openbanking UK testing, your client is expected to perform the following steps:

Do OpenID discovery, using the discoveryUrl shown in the test suite front end.

Send a client_credentials request to the token_endpoint obtained from discovery.

Create an account request, by sending a request to the account_requests_endpoint displayed on the screen.

Redirect to the authorization_endpoint obtained from discovery.

The conformance suite will return a 302 redirect straight away without the user taking any action – so there is no need for this to even be in a web browser.

Exchange the authorization code for an access token at the token_endpoint obtained from discovery.

Call the accounts_endpoint displayed on the screen using the access token.

When the test has completed, press “Continue Plan” to start the next test, or “Return to Plan” to view your progress.

Once you have successfully completed testing, please follow the submission instructions to complete the certification process.

If you require support, please email certification@oidf.org. If it relates to a test failure, please include a link to the relevant log-detail.html, or if using a local install, the downloaded log file.
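
The FAPI-RW client steps listed under Testing Steps, as an added example (not code from the sample client or the conformance suite): it sends the authorization request directly, reads the code from the suite's immediate 302 without a browser, and checks the redirect target and state before redeeming the code. The `http` transport, the `cfg` fields, `fakeSuite` and all sample values are hypothetical; request object signing, client authentication (mtls or private_key_jwt) and ID token validation are outside what it shows.

```javascript
// Added example, not the sample client's code. `http(url, opts)` is a hypothetical
// transport that returns {status, headers, json} and does NOT follow redirects.
// Read the code from the suite's 302 Location header (assumes redirect_uri has no query string).
function parseAuthResponse(location, redirectUri, expectedState) {
  const url = new URL(location);
  if (url.origin + url.pathname !== redirectUri) throw new Error('unexpected redirect target');
  // Parameters arrive in the fragment or the query, depending on response_type.
  const p = new URLSearchParams(url.hash ? url.hash.slice(1) : url.search);
  if (p.get('error')) throw new Error('authorization error: ' + p.get('error'));
  if (p.get('state') !== expectedState) throw new Error('state mismatch');
  if (!p.get('code')) throw new Error('no authorization code returned');
  return p.get('code');
}

async function runFapiRwSteps(http, cfg) {
  // Discovery, using the discoveryUrl shown in the test suite front end.
  const disco = (await http(cfg.discoveryUrl, { method: 'GET' })).json;
  // Authorization request, sent directly rather than through a browser.
  const auth = new URL(disco.authorization_endpoint);
  auth.search = new URLSearchParams({ ...cfg.authParams, state: cfg.state }).toString();
  const res = await http(auth.href, { method: 'GET' });
  if (res.status !== 302) throw new Error('expected 302, got ' + res.status);
  const redirectUri = cfg.authParams.redirect_uri;
  const code = parseAuthResponse(res.headers.location, redirectUri, cfg.state);
  // Exchange the code at the token_endpoint obtained from discovery.
  const body = new URLSearchParams({ grant_type: 'authorization_code', code,
    redirect_uri: redirectUri }).toString();
  const token = (await http(disco.token_endpoint, { method: 'POST', body })).json;
  // Call the accounts_endpoint with the access token.
  const headers = { authorization: 'Bearer ' + token.access_token };
  return (await http(cfg.accountsEndpoint, { method: 'GET', headers })).json;
}

// Constructed stand-in for the conformance suite so the example runs offline.
const BASE = 'https://suite.example/test/a';
const CFG = { discoveryUrl: BASE + '/.well-known/openid-configuration',
  accountsEndpoint: BASE + '/accounts', state: 'constructed-state-1', // use a fresh random value per run
  authParams: { client_id: 'c1', redirect_uri: 'https://rp.example/cb',
    response_type: 'code id_token', scope: 'openid accounts' } };
async function fakeSuite(url, opts) {
  const u = new URL(url), q = u.searchParams;
  if (u.pathname.endsWith('/openid-configuration'))
    return { status: 200, json: { authorization_endpoint: BASE + '/authorize', token_endpoint: BASE + '/token' } };
  if (u.pathname.endsWith('/authorize'))
    return { status: 302, headers: { location: `${q.get('redirect_uri')}#code=abc&state=${q.get('state')}` } };
  if (u.pathname.endsWith('/token'))
    return { status: 200, json: { access_token: new URLSearchParams(opts.body).get('code') + '-token' } };
  return { status: 200, json: { authorizedWith: opts.headers.authorization } };
}
```

Calling `runFapiRwSteps(fakeSuite, CFG)` resolves to the stand-in accounts response; against a real test, pass a transport built on your HTTP client with redirect following disabled and use the discoveryUrl and accounts_endpoint shown by the suite.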

Example Client

An example client can be found at https://gitlab.com/openid/sample-openbanking-client-nodejs. This is a Node.js application and requires Node.js and npm to be installed on your system.

You can use this client to see how your client implementation should interact with the conformance suite.

Before Running The Client

Before running this client you need to set the following environment variables:
